Customer Due Diligence (CDD) is not on top of most people’s list of fun things to do, but it has become an essential part of daily working life for those of us who need to verify customer’s identity and/or source of wealth and/or funds.
Here at tic company we have carried out thousands of identity verifications and use our AMLOnline portal to make life easier, but even with great technology to help us it is important to understand the different types of customer due diligence and how and when to carry them out.
Here we dive into the five different types of customer due diligence and what it means for businesses.
What is customer due diligence?
To put it simply, customer due diligence – sometimes also called know your customer (KYC) – is the process of collecting customer data to ensure customers are who they say they are, and to determine the level of risk they may present to your business. Identifying data can include official documents with the customers name and photograph which confirms their identity, birth date and residential address.
- Documentary verification
- Electronic verification
Verification of address can be done using documents, data or information issued by a reliable and independent source.
When is customer due diligence required?
CDD is required when a business which is bound by AML regulations starts a business relationship with a customer or a potential customer, or their relationship with an existing customer ‘materially changes’ and they need to verify customer identity and risk profile.
The Financial Action Task Force (FATF) advise customer due diligence should be carried out when:
establishing business relations;
carrying out occasional transactions: (i) above the applicable designated threshold which is currently $10,000; or (ii) that are wire transfers in the circumstances covered by the Interpretative Note to Special Recommendation VII;
there is a suspicion of money laundering or terrorist financing;
you have doubts about the veracity or adequacy of previously obtained customer identification data.
For many businesses dealing with financial transactions this means carrying out due diligence checks on hundreds of customers every year. And CDD checks are not just restricted to the actual customer but also other people who are associated with your customer.
Who do businesses need to include in their due diligence process?
any beneficial owner of a client (the person who ultimately controls the customer); and
any person acting on behalf of a client (the person operating or transacting on an account or facility that is held by your customer).
The reason for these inclusions is so that you can verify identities and relationships associated with your customer as well as form a better understanding of the level of money laundering and terrorist financing risk associated with your customer.
This can all seem a bit daunting and time consuming when you have a million tasks to get through each day but compliance is essential to ensure you comply with the AML/CFT Act. Not doing so can have serious financial consequences for your business. In May 2021 we saw the Reserve Bank file legal action against TSB for breaches of the AML/CFT Act which has resulted in TSB agreeing to pay $3.85 million in penalties.
Having a compliance officer in your business who understands what needs to be done to comply with regulations and/or working with a reputable AML company can help you stay on track and guide you through AML audits as well as ensuring you are following the right customer due diligence processes.
Types of customer due diligence
There are five types of customer due diligence processes and it is important to use the right one for any given situation:
Standard CDD
Simplified CDD
Enhanced CDD
Delayed CDD
Ongoing CDD
Standard CDD
Use standard customer due diligence when you need to obtain information about the nature and purpose of the proposed business relationship and your customer has not been assessed as high risk (note, if your customer is a trust this automatically triggers enhanced customer due diligence as they are considered high risk).
What you need to do
Identify Entities – gather identifying information on your customer, the beneficial owner(s), and any person acting on behalf of your customer. Data to be obtained includes:
the person’s full name; and
the person’s date of birth; and
if the person is not the customer, the person’s relationship to the customer; and
the person’s address or registered office; and
nature and purpose of the proposed business relationship; and
any information prescribed by regulations.
Determine Risk – decide on the level of money laundering and terrorist financing risk involved. Collect sufficient information to determine whether enhanced CDD needs to be conducted on the customer.
Verify Information – according to that level of risk, verify the identity of relevant persons, including natural persons using the Explanatory Note: Electronic Identity Verification Guideline July 2021. This Explanatory Note provides best practice advice for businesses carrying out name and date of birth identity verification on customers (that are natural persons) that have been assessed to be low to medium risk.
Simplified CDD
Generally, simplified customer due diligence relates to customers that are already subject to transparency and public disclosure. These are prescribed entities as identified in 18(2) of the AML/CFT Act such as government entities, local authorities or public service agencies.
What you need to do
Meet The Criteria – identify and record that the customer meets the criteria for simplified CDD. Check it on the list in section 18(2) of the AML/CFT Act.
Nature And Purpose – obtain information about the nature and purpose of the proposed business relationship between you and the customer.
Identify Entities – record the full name of the entity in question and a brief explanation of how it falls within the section. Information needs to be gathered about the identity of a person acting on behalf of the entity.
Determine Risk – according to that level of risk, verify the identity of the person and their authority to act on behalf of the local authority using the Amended Identity Verification Code of Practice.
Enhanced CDD
Enhanced customer due diligence is used for high risk clients. This may be when:
Your customer has a trust or another vehicle for holding personal assets.
Your customer is a non-resident client from a country that has insufficient anti-money laundering and countering financing of terrorism systems or measures in place.
Your customer has a company with nominee shareholders or shares in bearer form.
Your customer is a politically exposed person (PEP).
You consider that the level of risk involved is such that enhanced CDD should apply.
These requirements fall under section 22 of the AML/CFT Act.
What you need to do
Nature and Purpose – obtain information about the nature and purpose of the proposed business relationship between you and the customer.
Identify and Verify Identities – identity information must be gathered about a customer, the beneficial owner(s), and a person acting on behalf of a customer and verify their information.
Source of Wealth/Funds – Obtain information about your customer’s source of wealth or source of funds. You must record this information and take reasonable steps, according to the level of risk involved, to verify this information using other reliable and independent sources
Delayed CDD
Generally, you must not commence work until client verification has been completed. However, in some circumstances you may begin work before completing customer due diligence if it is essential work required to prevent the interruption of normal business practice, and there is little risk of money laundering or terrorist financing occurring.
What you need to do
Customer Must Be Identified – you must still be able to satisfy the know your customer (KYC) requirements and be aware of the entity you are entering into a relationship with and any beneficial owners or effective controllers.
Complete As Soon As Possible – verification of identity must be completed as soon as is practicable once the business relationship has been established
Respond Appropriately – if you are unable to complete the verification checks required or changes occur you must take appropriate action. If you identify anything suspicious you must file a Suspicious Activity Report (SAR) with the Financial Intelligence Unit (FIU).
Ongoing CDD
Use ongoing customer due diligence systematically so that you can ensure that your customer’s activities and/or transactions are consistent with the information and data you have previously acquired.
In the ordinary course of business where a customer is considered low risk the CDD process should be carried out every 12 months, where the customer is considered medium to high risk this should occur every 6 months plus any other reasonable time. For example, every time there is a material change in your customers transactions, CDD should be undertaken.
Be sure to record in your compliance programme how often and when ongoing customer due diligence should take place.
What you need to do
Confirm Consistency – ensure that the business relationship and the transactions relating to that business relationship are consistent with your knowledge about the customer and the customer’s business and risk profile.
Maintain Records – make sure that you have up to date records relating to the customer and any entities with beneficial ownership or effective control. Your verification records must be up to date.
Regular Review – you must consider (a) the type of customer due diligence conducted when the business relationship with the customer was established; and (b) the level of risk involved to determine if you need to redo your CDD checks.
Respond To Changes – if the nature and purpose of your relationship with the customer changes you must respond appropriately and complete checks at the necessary level. If you identify anything suspicious you must file a SAR with the FIU.
Customer Due Diligence in Summary
While taking care of customer due diligence can be time consuming you can make it easier by following the correct processes and getting the right foundations in place:
Designate someone in your business as an AML/CFT compliance officer.
Assess and document the money laundering and terrorist financing risks your business may face.
Establish an AML/CFT compliance programme setting out how you’ll detect and manage these risks.
On an ongoing basis:
Verify the identity of customers before providing any service covered by the AML/CFT Act. In some circumstances (such as if they represent a company or trust), you may also need to ask for information about where money came from and the other people involved.
Monitor customers (you will have to monitor the transactions) to identify potential warning signs of money laundering and terrorism financing.
Report any suspicious activity to the FIU.
Submit an annual report to the supervisor of your sector.
Regularly review your risk assessment and compliance programme.
Have your risk assessment and compliance programme audited regularly.
And you don’t have to do this alone. The FMA, DIA and FIU provide guides on AML/CFT compliance, legislation and codes of practice. These can be accessed through the relevant authority.
You can also consider outsourcing your AML compliance activity which will help you stay AML compliant, reduce the AML burden and will generally be quicker and less intrusive for both you and your customer. Dr AML provides a guide on how to choose the right AML provider which outlines the things to ask and look for.
tic company 
Nick Ashford 
